The present invention generally concerns a high assurance security gateway interconnecting different domains and particularly in embedded infrastructures.
In most industrial fields, it is common to have different systems with different applications communicating with each other in order to accomplish a task. Each application may be considered as a set of functions, and each function is a piece of software contributing to the execution of a part of the task to be accomplished by the application. For example, many different types of equipment in a vehicle or an aircraft need to exchange data with each other through a communication system in order to accomplish the maneuvering of the vehicle or the aircraft. Each type of equipment may have a specific set of functions or applications with different levels of criticality depending on their importance. A specific level of security is associated with each application as a function of the criticality of that application. Therefore, it is important and practically useful to establish a mechanism that allows an efficient exchange of information between applications in domains having different security levels without compromising their security.
One solution would consist of physically separating the different applications by hosting each one on a different physical system and connecting them via a network channel. The data exchange via this network channel needs to be controlled by a control means for securing information exchange.
The computing resources of an embedded environment used to be barely enough to host one function. However, nowadays, due to the growing efficiency of computing resources, the trend is exactly the opposite and consists of putting several applications or functions on the same physical system in order to use the full computing power and memory storage capabilities offered by that system. This avoids wasting unused resources and thus reduces the production costs as well as the overall weight of the system, which is very important for an aircraft, a satellite or a vehicle. This architecture has, however, the disadvantage of facilitating the propagation of errors. Indeed, any design or implementation error in one part of the system may lead to failures affecting other parts of the system. This difficulty is solved, for example, in the aircraft environment by existing IMA (Integrated Modular Avionics) architectures, which address the propagation of design or implementation errors from one part of the system to another from a safety perspective. Moreover, in recent years, virtualization techniques have been developed in order to take into account security aspects relating to malicious attempts. Thus, nowadays the trend is to host several applications on the same physical system while providing a good level of assurance for the strict runtime environment segregation between the different applications. One such security architecture is MILS (Multiple Independent Levels of Security), built upon strict segregation properties for the execution environments and strict communication paths. Indeed, the MILS architecture enables a system to host several applications or functions with different or the same levels of security without any interference between these applications.
However, the problem remains of how to protect the security of several applications characterized by different security levels while authorizing the bidirectional exchange of information between them. For example, if for one reason or another a part of the system becomes malicious, it must be prevented from deliberately damaging the other parts of the system.
There exist some security techniques that partly solve the problem of communication with different levels of security.
One such technique is the Bell-La Padula model, which addresses confidentiality aspects. This model is based on a “no write down, no read up” strategy. In other words, a first domain with a high security level is not allowed to write or communicate any data to a second domain with a low security level, but is allowed to read data from the latter. On the other hand, the second domain with a low security level is not allowed to read data from the first domain with a high security level, but is authorized to write data into it.
Another known method is the Biba integrity model defining a set of access rules designed to ensure data integrity. This model is based on a “no read down, no write up” strategy. In other words, a first domain with a high security level is not allowed to read or use any data from a second domain with a low security level. On the other hand, the second domain is not allowed to write or communicate any data to the first domain with a higher security level.
It is clear that the above two models cannot both be enforced at the same time while still allowing data to pass between the two domains. Thus, in order to authorize a bidirectional communication between two domains respecting both models at the same time, complex application-level proxies have to be implemented. However, complex proxies are very difficult to analyze at high assurance levels.
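As an added illustration that is not part of the original text, the following Python encodes the two policies described in the preceding paragraphs, using a single ordered label for both the confidentiality (Bell-La Padula) and integrity (Biba) level of a domain, as the text does when it speaks of a domain's "security level". It then enumerates which accesses between domains of different levels survive when both models are enforced together. The `Level` values, the operation names and the function names are constructed for this example.

```python
from enum import IntEnum
from itertools import product


class Level(IntEnum):
    """Ordered security levels (constructed for the example). One label is
    used for both the confidentiality and the integrity lattice."""
    LOW = 1
    HIGH = 2


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-La Padula confidentiality rules: "no read up, no write down".
    A subject may read objects at or below its level and write to objects
    at or above its level."""
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba integrity rules: "no read down, no write up".
    A subject may read objects at or above its level and write to objects
    at or below its level."""
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation {op!r}")


def both_allow(subject: Level, obj: Level, op: str) -> bool:
    """An access is permitted only if neither model forbids it."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


def permitted_cross_level_accesses(levels=tuple(Level)) -> list:
    """Enumerate every (subject, object, op) with subject != object that
    passes both models. With one shared label the result is empty: only
    same-level accesses survive the combined policy, so no data can move
    between domains of different levels in either direction."""
    return [
        (s, o, op)
        for s, o, op in product(levels, levels, ("read", "write"))
        if s != o and both_allow(s, o, op)
    ]


if __name__ == "__main__":
    for s, o, op in product(Level, Level, ("read", "write")):
        print(f"{s.name:>4} {op:5} {o.name:<4}: "
              f"BLP={blp_allows(s, o, op)!s:5} "
              f"Biba={biba_allows(s, o, op)!s:5} "
              f"both={both_allow(s, o, op)}")
    print("cross-level accesses allowed by both models:",
          permitted_cross_level_accesses())
```

Each model on its own permits exactly one direction of flow between the two domains (Bell-La Padula lets data move upward, Biba lets it move downward); their conjunction permits neither, which is the gap the application-level proxies of the text are meant to bridge.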
Indeed, the difficulty in certifying complex proxies stems from their software architecture, since they consolidate several functionalities and are implemented by a significant amount of software code (i.e., several hundred thousand lines of code). The Common Criteria standard provides a framework and guidance for the security certification of computer systems. This standard defines seven EALs (Evaluation Assurance Levels). EAL 7 provides the highest level of assurance but also requires formal modelling of the system under evaluation. Security evaluations at a level higher than EAL 4 are not mutually recognized internationally. Thus, a system claiming a high EAL requires multiple certifications from the different countries where the system is to be used.
The purpose of the present invention is therefore to propose a gateway and an efficient method for implementing the same, said gateway having an architecture which authorizes a bidirectional communication between applications located in different domains (that might have different security levels), presents a high assurance level of protection, efficiently uses hardware resources, is adapted to be used in an embedded environment, and allows an easier security certification without having the aforementioned shortcomings.